hyperledger / cacti

Hyperledger Cacti is a new approach to the blockchain interoperability problem
https://wiki.hyperledger.org/display/cactus
Apache License 2.0

fix(security): vulnerabilities found in example-carbon-accounting #2062

Closed zondervancalvez closed 5 months ago

zondervancalvez commented 2 years ago

List of vulnerabilities found in example-carbon-accounting image during Azure Container scan.

| VULNERABILITY ID | PACKAGE NAME | SEVERITY |
| -- | -- | -- |
| CVE-2021-39167 | @openzeppelin/contracts | CRITICAL |
| CVE-2021-41264 | @openzeppelin/contracts | CRITICAL |
| CVE-2021-46320 | @openzeppelin/contracts | HIGH |
| CVE-2022-21676 | engine.io | HIGH |
| CVE-2021-3918 | json-schema | CRITICAL |
| CVE-2021-30246 | jsrsasign | CRITICAL |
| CVE-2022-24771 | node-forge | HIGH |
| CVE-2022-24772 | node-forge | HIGH |
| CVE-2021-23358 | underscore | HIGH |

petermetz commented 2 years ago

P4 because this container image is not meant to be used in production.

zondervancalvez commented 2 years ago

@petermetz please assign this to me. Thank you

zondervancalvez commented 2 years ago

CVE-2021-39167, CVE-2021-41264, CVE-2021-46320 are currently fixed in our package version.

CVE-2022-21676 is currently fixed in our package version.

CVE-2021-3918 is currently fixed in our package version.

CVE-2021-30246 is currently fixed in our package version.

CVE-2022-24771, CVE-2022-24772 require the 1.1.0 release. Depends on #2054

CVE-2021-23358 was already fixed in PR #1816. Requires the 1.1.0 release. Depends on #2054

AbhinavMir commented 2 years ago

Could we possibly modify vulnerability tables to include a local ID, such as this?

| local_ID | VULNERABILITY ID | PACKAGE NAME | SEVERITY |
| -- | -- | -- | -- |
| 1 | CVE-2021-39167 | @openzeppelin/contracts | CRITICAL |

It will be easier to cross-reference what isn't an issue and what is.

aldousalvarez commented 1 year ago

Hello @petermetz, I tried to scan the latest available version of the carbon accounting backend, which is v1.1.3. The result of the scan shows that, for some of the vulnerabilities detected in the packages of the carbon accounting backend, we already have the fixed version or greater, based on checking the latest changes in our package.json in our latest commit. So I think we just need to issue a new release of the carbon accounting backend to be able to see whether there are still remaining vulnerabilities with the latest changes we have, so that we would be scanning the latest and updated version.

petermetz commented 12 months ago

@aldousalvarez Gotcha, I marked it as dependent on the issuance of the new release which will then allow you to run the scan against the latest npm package with the updated dependencies. In the meantime please work with @jagpreetsinghsasan to pick up another task.

petermetz commented 12 months ago

@aldousalvarez I've managed to publish v2.0.0-alpha.1 to npm for all the packages, please re-test with those! https://www.npmjs.com/package/@hyperledger/cactus-example-carbon-accounting-backend?activeTab=versions

aldousalvarez commented 11 months ago

@petermetz Based on the trivy scan of version 1.1.3, the vulnerabilities have a Total of 16 (HIGH: 14, CRITICAL: 2).

After testing version 2.0.0-alpha.1, the total remaining vulnerabilities from this scan is Total: 13 (HIGH: 11, CRITICAL: 2).

After checking the results based on the latest scan (version 2.0.0-alpha.1), @openzeppelin/contracts in the package.json of carbon-accounting-backend is already "4.9.3", but the scan says that the installed version is 4.7.3.

And the rest cannot be found in the package.json, so they cannot be fixed or upgraded there:

- http-cache-semantics (package.json)
- qs (package.json)
- socket.io-parser (package.json)
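A way to do this triage mechanically, as an added example for this thread (not Cacti project code): it reads a Trivy JSON report together with package.json and package-lock.json, flags findings where the manifest already declares a newer version than the image contains (the @openzeppelin/contracts 4.9.3 vs 4.7.3 case above, which points at a stale lockfile or build rather than a missing manifest edit), and for packages that are absent from package.json it walks the lockfile's reverse-dependency graph to name the direct dependency that pulls them in. All three inputs are constructed samples in the real files' shapes (Trivy's `Results[].Vulnerabilities[]` records, an npm manifest, a lockfileVersion 3 lock); the CVE ids in them are placeholders, and the package versions are illustrative.

```python
"""Triage scanner findings against an npm project's manifest and lockfile.

Added example for this thread, not Hyperledger Cacti code. The inputs are
constructed samples that follow the real file shapes: a Trivy JSON report
(as written by `trivy image --format json -o report.json <image>`),
package.json, and a lockfileVersion 3 package-lock.json. CVE ids are placeholders.
"""
from collections import defaultdict

# Constructed manifest: it already pins the newer contracts version.
PACKAGE_JSON = {
    "name": "example-backend",
    "dependencies": {
        "@openzeppelin/contracts": "4.9.3",
        "express": "^4.0.0",
        "got": "^11.0.0",
    },
}

# Constructed lockfile (v3 layout, entries keyed by node_modules path). The
# contracts entry is still 4.7.3: the lock/image is stale relative to the manifest,
# which is exactly the mismatch the scan above reported.
PACKAGE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": PACKAGE_JSON["dependencies"]},
        "node_modules/@openzeppelin/contracts": {"version": "4.7.3"},
        "node_modules/express": {"version": "4.18.2", "dependencies": {"qs": "6.11.0"}},
        "node_modules/qs": {"version": "6.11.0"},
        "node_modules/got": {"version": "11.8.6", "dependencies": {"cacheable-request": "^7.0.2"}},
        "node_modules/cacheable-request": {"version": "7.0.2", "dependencies": {"http-cache-semantics": "^4.0.0"}},
        "node_modules/http-cache-semantics": {"version": "4.1.0"},
    },
}

# Constructed Trivy-style report with placeholder vulnerability ids.
TRIVY_REPORT = {
    "Results": [{
        "Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "@openzeppelin/contracts",
             "InstalledVersion": "4.7.3", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "http-cache-semantics",
             "InstalledVersion": "4.1.0", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "qs",
             "InstalledVersion": "6.11.0", "Severity": "HIGH"},
        ],
    }],
}


def version_key(spec):
    """Turn '4.9.3' or '^4.9.3' into a comparable tuple. Plain semver only;
    ranges with '||' or 'x' and pre-release ordering need a real semver library."""
    core = spec.lstrip("^~>=<").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def build_dependents(lock):
    """Reverse the lock graph: package name -> set of packages that depend on it.
    The last path component after 'node_modules/' is the name (scoped names such
    as @scope/pkg contain a slash, so do not split on '/')."""
    dependents = defaultdict(set)
    for path, meta in lock["packages"].items():
        parent = path.split("node_modules/")[-1] if path else "<root>"
        for dep in meta.get("dependencies", {}):
            dependents[dep].add(parent)
    return dependents


def trace_to_direct(pkg, dependents, direct, seen=None):
    """Walk dependents upward until a direct dependency (named in package.json)
    is reached; returns the set of direct deps responsible for pulling pkg in."""
    seen = set() if seen is None else seen
    if pkg in direct:
        return {pkg}
    roots = set()
    for parent in dependents.get(pkg, ()):
        if parent in seen or parent == "<root>":
            continue
        seen.add(parent)
        roots |= trace_to_direct(parent, dependents, direct, seen)
    return roots


def classify_findings(report, package_json, lock):
    """Map finding id -> (kind, package, via):
    'stale-build': manifest already declares a newer version than the image has,
                   so a rebuild and release is needed, not a manifest edit;
    'direct':      a direct dependency that must be bumped in package.json;
    'transitive':  absent from package.json; 'via' lists the direct deps to upgrade
                   (or to pin with an npm 'overrides' entry, npm >= 8.3)."""
    direct = dict(package_json.get("dependencies", {}))
    dependents = build_dependents(lock)
    verdicts = {}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            name, installed = vuln["PkgName"], vuln["InstalledVersion"]
            if name in direct:
                newer_declared = version_key(direct[name]) > version_key(installed)
                kind = "stale-build" if newer_declared else "direct"
                verdicts[vuln["VulnerabilityID"]] = (kind, name, (direct[name],))
            else:
                roots = tuple(sorted(trace_to_direct(name, dependents, set(direct))))
                verdicts[vuln["VulnerabilityID"]] = ("transitive", name, roots)
    return verdicts


if __name__ == "__main__":
    for vid, (kind, pkg, via) in classify_findings(TRIVY_REPORT, PACKAGE_JSON, PACKAGE_LOCK).items():
        print(f"{vid:15} {kind:12} {pkg:28} via {', '.join(via) or '-'}")
```

Run against real files, `json.load` the three inputs in place of the constructed dictionaries. A `stale-build` verdict is the one to watch for in a thread like this: the fix is already in git, so re-scanning the same image or npm version will keep reporting the old package until a fresh build is published.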

aldousalvarez commented 11 months ago

Depends on #2718

Waiting for that issue to be merged and then a new package version release that has the updated dependencies which uses the fixed version of http-cache-semantics

petermetz commented 10 months ago

@aldousalvarez FYI: 2.0.0-alpha.2 is out now, but it still has the http cache semantics issue IIRC. Stay tuned for RC.1